authorJiri Slaby <jslaby@suse.cz>2019-08-16 22:01:45 +0200
committerJiri Slaby <jslaby@suse.cz>2019-08-16 22:25:11 +0200
commitbf4b0d2c03b5193993f17af44b08163018fa5b30 (patch)
treed52270b2a5357e18b03c763514db62b8838ccfc9
parent940405ae49400290111fbf416058831e17aa1c0a (diff)
iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment
-rw-r--r--patches.kernel.org/5.2.9-142-iwlwifi-mvm-fix-a-use-after-free-bug-in-iwl_mvm.patch50
-rw-r--r--series.conf1
2 files changed, 51 insertions, 0 deletions
diff --git a/patches.kernel.org/5.2.9-142-iwlwifi-mvm-fix-a-use-after-free-bug-in-iwl_mvm.patch b/patches.kernel.org/5.2.9-142-iwlwifi-mvm-fix-a-use-after-free-bug-in-iwl_mvm.patch
new file mode 100644
index 0000000000..d327882251
--- /dev/null
+++ b/patches.kernel.org/5.2.9-142-iwlwifi-mvm-fix-a-use-after-free-bug-in-iwl_mvm.patch
@@ -0,0 +1,50 @@
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 22 Jul 2019 13:02:25 +0300
+Subject: [PATCH] iwlwifi: mvm: fix a use-after-free bug in
+ iwl_mvm_tx_tso_segment
+References: bnc#1012628
+Patch-mainline: 5.2.9
+Git-commit: 71b256f8f7a5c09810d2c3ed6165629c2cc0a652
+
+commit 71b256f8f7a5c09810d2c3ed6165629c2cc0a652 upstream.
+
+Accessing the hdr of an skb that was consumed already isn't
+a good idea.
+First ask if the skb is a QoS packet, then keep that data
+on stack, and then consume the skb.
+This was spotted by KASAN.
+
+Cc: stable@vger.kernel.org
+Fixes: 08f7d8b69aaf ("iwlwifi: mvm: bring back mvm GSO code")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+index 96f8d38ea321..a12ee20fb9ab 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -831,6 +831,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *skb, unsigned int num_subframes,
+ unsigned int tcp_payload_len;
+ unsigned int mss = skb_shinfo(skb)->gso_size;
+ bool ipv4 = (skb->protocol == htons(ETH_P_IP));
++ bool qos = ieee80211_is_data_qos(hdr->frame_control);
+ u16 ip_base_id = ipv4 ? ntohs(ip_hdr(skb)->id) : 0;
+
+ skb_shinfo(skb)->gso_size = num_subframes * mss;
+@@ -864,7 +865,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *skb, unsigned int num_subframes,
+ if (tcp_payload_len > mss) {
+ skb_shinfo(tmp)->gso_size = mss;
+ } else {
+- if (ieee80211_is_data_qos(hdr->frame_control)) {
++ if (qos) {
+ u8 *qc;
+
+ if (ipv4)
+--
+2.22.0
+
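Review bot: In the embedded tx.c patch, the added `bool qos = ieee80211_is_data_qos(hdr->frame_control);` has no comment explaining why the flag is cached. `hdr` also stays in scope for the rest of iwl_mvm_tx_tso_segment although, per the commit message, the skb it points into is consumed before the branch in the second inner hunk runs. A one-line comment on the declaration would stop a later cleanup from reintroducing the stale dereference, for example `/* read before skb is consumed below; hdr must not be dereferenced after that */`. The declaration of `hdr` and the call that consumes the skb are both outside the visible hunks, so this page cannot confirm that no other late use of `hdr` remains; that should be checked against the full function when carrying the backport. Since KASAN found the original bug, running the TSO path under KASAN on the patched build is the natural confirmation.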
diff --git a/series.conf b/series.conf
index 39dff01d56..8d2d7376fc 100644
--- a/series.conf
+++ b/series.conf
@@ -1162,6 +1162,7 @@
patches.kernel.org/5.2.9-139-mwifiex-fix-802.11n-WPA-detection.patch
patches.kernel.org/5.2.9-140-iwlwifi-don-t-unmap-as-page-memory-that-was-map.patch
patches.kernel.org/5.2.9-141-iwlwifi-mvm-fix-an-out-of-bound-access.patch
+ patches.kernel.org/5.2.9-142-iwlwifi-mvm-fix-a-use-after-free-bug-in-iwl_mvm.patch
########################################################
# Build fixes that apply to the vanilla kernel too.